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1  Introduction 


This  report  presents  two  examples  demonstrating  the  use  of  an  offline  characterization  mech¬ 
anism  for  Ada1  procedures.  By  “offline  characterization”  we  mean  the  characterization  of 
the  actions  of  a  procedure  independent  of  context.  The  characterization  is  performed  using 
the  State  Delta  Verification  System  (SDVS)  [1].  The  subset  of  Ada  in  which  procedures 
may  be  written  is  Stage  2  Ada  [2],  the  subset  of  Ada  recognized  by  SDVS  in  FY90.  The 
offline  characterization  feature  of  SDVS  is  described  in  more  detail  in  [3]. 

Section  2  presents  background  on  the  offline  characterization  mechanism,  paraphrasing 
some  of  the  information  presented  in  [3].  Section  3  gives  a  simple  example  of  the  offline 
characterization  of  an  Ada  subprogram,  demonstrating  the  use  of  the  characterization  in  a 
proof  about  an  Ada  program  containing  the  subprogram.  Section  4  gives  a  more  complicated 
example,  involving  the  offline  characterization  of  two  subprograms,  one  of  which  utilizes  the 
other.  Section  5  concludes  this  report. 


’Ada  is  a  registered  trademark  of  t  ho  U.  S.  Government  -  Ada  Joint  Program  Office. 


1 


2  Background 

SDVS’  offline  characterization  facility  comprises  the  following  three  commands: 

•  the  creatcadalemma  command,  which  is  used  to  define  a  lemma  about  an  Ada  pro¬ 
cedure,  in  the  form  of  a  state  delta,  and  which  collects  other  necessary  descriptive 
information  from  the  user; 

•  the  proveadalemma  command,  which  sets  up  an  environment  within  which  the  lemma 
(state  delta)  can  be  proved — this  must  be  at  the  top  level  of  symbolic  execution,  and 
we  do  not  allow  lemmas  dependent  on  the  dynamic  program-execution  context;  and 

•  the  invokcadalemma  command,  which  uses  a  previously  created  lemma  as  a  template 
to  construct  a  usable  state  delta,  which  in  turn  is  then  applied  to  mimic  the  actions 
of  the  procedure  call. 

Perhaps  the  best  way  to  discuss  these  commands  is  through  examples.  In  sections  to  L  iow, 
we  present  annotated  SDVS  sessions  in  which  Ada  lemmas  are  created,  proved,  and  invoked. 
The  target  programs  are  simple,  but  adequate  for  the  purposes  of  testing  and  illustration. 

At  various  places  in  the  discussion  of  the  examples,  we  need  to  refer  to  specific  steps  in  the 
symbolic  execution  of  procedure  calls.  This  subject  was  discussed  at  length  in  [3];  for  the 
reader’s  convenience,  we  list  the  steps  here: 

(I)  Declarations  of  the  formal  parameters  of  the  procedure  are  processed:  The  uni¬ 
verse  of  places  is  expanded  to  include  new  places  u  and  v. 

(II)  The  actual  parameters  are  evaluated,  and  the  resulting  values  are  bound  to  the 
piaces  u  and  v. 

(III)  The  declarations  of  the  local  variables  of  the  procedure  are  processed:  The 
universe  of  places  is  expanded  to  include  a  new  place  a. 

(IV)  The  body  of  the  procedure  is  executed  symbolically. 

(V)  Undoing  (III):  The  local  variables  are  undeclared,  so  a  is  no  longer  among  the 
places. 

(VI)  in  out  and  out  formal  parameter  values  are  assigned  to  the  corresponding  ac¬ 
tual  parameters:  These  values  are  determined  and  bound  to  the  appropriate 
places. 

(VII)  Undoing  (I):  The  formal  parameters  are  undeclared,  so  u  and  v  arc  deleted 
from  the  universe  of  places. 
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3  Example  I:  The  exchange  procedure 


Our  first  example  program  includes  a  two-parameter  procedure  that  exchanges  the  values 
of  its  parameters  (two  integers),  as  well  as  a  main  program  to  test  the  procedure.  This 
program  is  shown  below. 

PROCEDURE  xtest  IS 

x,  y,  z  :  integer  :=  1; 

PROCEDURE  exchange(a,  b  :  IN  OUT  integer)  IS 
c  :  integer; 

BEGIN 

c  :  =  a; 
a  :=  b; 
b  :=  c; 

END  exchange; 

BEGIN 

get(x) ; 
get (y) ; 
get (z) ; 

exchange (x,  y) ; 
exchange (y,  z); 
put(x) ; 
put(y) ; 
put(z) ; 

END  xtest; 

The  lemma  will  simply  assert,  in  the  form  of  a  state  delta,  the  fact  that  the  procedure 
exchanges  its  parameters.  It  will  be  invoked  twice  in  the  proof  of  a  state  delta  describing 
the  effect  of  the  program  as  a  whole,  which  is  simply  this:  if  the  input  stream  consists  of 
three  integers  i,  j  ,  and  k,  then  the  output  stream  will  consist  of  the  integers  j  ,  k,  and 
i,  in  that  order., 

In  the  annotated  sample  session  to  follow,  what  the  user  types  is  shown  in  italics,  whereas 
the  computer’s  output  is  in  typewriter-style. 

First,  we  read  a  file  that  contains  the  predefined  state  delta  describing  the  action  of  the  test 
program. 

<sdvs.l>  read 

path  nameff oo. proof s]  :  testproofs/xtest. proofs 

Definitions  read  from  file  Mtestproof s/xtest .proof sM 
—  (xtest . sd, xtest  proof ) 

<sdvs.2>  pp 

object:  xtest.  sd 

[sd  pre:  (adaCxtest .ada)) 
comod:  (all) 
mod:  (all) 
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post:  (#xtest\stdout [1]  *  .xtest\stdin[2] t 
#xtest\stdout [2]  *  .xtest\stdin[3] , 
#xtest\stdout[3]  *  .xtest\stdin[l])] 


Next,  we  use  the  adair  command  to  parse  and  translate  the  program  file. 

<sdvs.2>  adatr 

path  name  [f  oo .  ada]  :  testproofs/xtest.ada 
Parsing  Star**  2  Ada  file  —  "testproofs/xtest.ada" 

Translatin;  Stage  2  Ada  file  —  "testproofs/xtest.ada" 


The  creatcadalcmrna  command  is  used  to  create  the  lemma,  which  will  be  a  certain  state 
delta. 

<sdvs.3>  createadalemma 

lemma  name:  exchange. lemma 
file  name:  testproofs/xtest.ada 
subprogram  name:  exchange 
qualified  name:  xtest. exchange 
preconditions [] : 

mod  list  []  :  a,b 
postconditions:  #a=.b,#b=.a 

createadalemma  —  [sd  pre:  (.xtest\pc  *  at (xtest .exchange)) 
comod:  (all) 

mod:  (xtest\pc,a,b) 
post:  (#a  *  .b,#b  *  .a, 

#xtest\pc 

*  exited(xtest. exchange))] 


Notice  that  the  system  supplies  additional  entries  for  the  state  delta  besides  those  given  by 
the  user.  The  condition 

.xtest\pc  =  at(xtest. exchange) 

becomes  true  exactly  when  the  symbolic  execution  of  a  call  to  procedure  exchange  has 
completed  Step  II.  Similarly,  the  condition 

#xtest\pc  =  exited(xtest. exchange) 

will  be  true  when  the  symbolic  execution  of  a  call  has  completed  Step  V.  Also,  xtestApc 
should  always  be  part  of  the  mod  list  for  a  state  delta  dealing  with  any  part  of  the  program 
xtest.  To  identify  fully  the  code  to  which  the  lemma  refers,  one  must  supply  a  full  path 
name  to  the  file,  and  a  fully  qualified  procedure  name.  The  fully  qualified  name  in  this  case 
is  “xtest .  exchange;”  in  general,  it  is  a  complete  list  of  procedure  and  block  names,  in  the 
order  of  containment  and  ending  with  the  given  procedure,  with  all  names  separated  by 
periods.  (If  a  containing  block  is  unnamed,  the  parser  supplies  an  internal  name,  which  in 
principle  could  be  used  in  this  context;  however,  it  is  recommended  that  the  user  explicitly 
name  the  containing  block.) 

The  provcadalcmma  command  causes  SDVS  to  set  up  the  environment  for  proving  the 
lemma. 
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<sdvs.4>  pt oveadalemma 

Ada  lemma  name:  exchange.lemma 
proof  []  : 

A  name  of  a  previously  :reated  and  saved  proof  may  be  entered  at  this  point,  or,  as  in  this 
case,  an  empty  line  signals  an  interactive  proof. 

The  provcadalemma  command  must  be  issued  at  SDVS’  top  level,  that  is,  in  an  environment 
in  which  no  variable  bindings  have  occurred.  The  system  automatically  emits  and  applies 
state  deltas  to  set  up  the  environment  appropriate  for  proving  the  lemma: 

open  —  [sd  pre:  (alldis joint (xtest , .xtest) , 

covering( . xtest ,xtest\pc , exception , 

xtest\stdin,xtest\stdin\ctr , 
xtest\stdout ,xtest\stdout\ctr , x , 

y,z)  * 

<adatr  exchange  (a,  ...);>) 
comod:  (all) 
mod:  (all) 

post.  ([sd  pre:  (.xtest\pc  =  at  (xtest  .exchange)) 
comod:  (all) 

mod:  (diff (all, 

dif  f  (union  (xtest \pc  exception , 
xtest\stdin, 
xtest \stdin\ctr , 
xtestXstdout , 
xte8t\stdout\ctr , x , y , z , 
a,b), 

union (xtest\pc , 

xtest\pc,a,b)))) 

post:  (#a  *  ,b,#b  *  .a, 

#xtest\pc 

*  exited(xtest. exchange) )] )] 

instantiate  in  q(l)  —  all  top-level  existential  variables 

apply  —  [sd  pre:  (true) 
comod:  (all) 

mod:  (xtest\pc , xtest) 
post:  (alldisjoint (xtest , .xtest, a, b) , 
covering (#xtest , .xtest, a, b) , 

declare(a,type(integer)) ,declare(b,type(integer)) , 

<adatr  null;>)] 

apply  —  [sd  pre:  (true) 
comod:  (all) 

mod:  (xtest \pc ,a,b) 
post:  (#a  =  .a,#b  -  .b, 

<adatr  null ;>)] 

apply  —  [sd  pre:-  (true) 
comod:  (all) 
mod:  (xtest\pc) 

post:  (#xtest\pc  =  at (xtest . exchange) , 

<adatr  null;>)] 
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go  —  breakpoint  reached 


open  —  [sd  pie:  (.xtest\pc  *  at (xtest. exchange)) 
coBod:  (all) 

Bod:  (diff(all, 

dif f (union (xtest \pc , exception , 
xtest\stdin, 
xtest\stdin\ctr, 
xtest\stdout, 

xtest\stdout\ctr,x»y,z,a,b) , 
union (xtest\pc,xtes' \pc,a,b)))) 
post:  (#a  *  .b,#b  ■  .a, 

#xtest\pc  *  exited(xtest. exchange))] 

The  environment  at  this  point  is  identical  to  what  would  exist  after  the  completion  of  Steps 
I— II  of  the  symbolic  execution  of  a  call  to  the  procedure.  Examining  the  output  above, 
we  see  that  this  environment  wets  created  by  opening  the  proof  of  a  state  delta  having  (1) 
a  precondition  establishing  the  necessary  environment,  and  (2)  a  postcondition  consisting 
of  the  state  delta  of  the  lemma.  The  last  step  above  opens  the  proof  of  the  latter  state 
delta.  The  system’s  response  to  each  intermediate  apply  command  (these  are  internally 
generated)  shows  the  state  delta  being  applied,  and  the  adatr  fields  show  the  particular 
Ada  program  statement  with  which  the  currently  applied  state  delta  is  associated. 

The  reader  will  notice  that  the  last  state  delta  opened  for  proof  is  not  exactly  the  same 
as  that  of  the  lemma:  the  mod  list  is  apparently  more  complex.  This  is  done  to  allow 
for  modification,  during  the  proof,  of  new  places  created  by  declarations  arising  during  the 
symbolic  execution  of  the  procedure  body.  An  evaluation  of  the  expression  for  the  mod  list 
will  show  that  in  the  current  context  it  describes  no  more  than  the  places  named  in  the 
original  mod  list.  However,  the  value  of  this  expression  will  change  appropriately  as  other 
places  are  created  through  declaration,  or  deleted  by  undeclaration. 

The  usable  command  will  help  us  ascertain  the  current  state  of  symbolic  execution. 

<sdvs.4.5.1>  usable 
No  usable  state  deltas. 


q(l)  exists  c  ([sd  pre:  (true) 
comod:  (all) 

nod:  (xtest\pc, xtest) 
post:  (alldisjomt  (xtest ,  .xtest ,c) , 
covering(#xtest , . xtest, c) , 
declare(c,type(integer)) , 

<adatr  c  :  integer>)]) 

This  shows  that  symbolic  execution  is  just  at  the  point  of  the  declaration  of  the  local  vaiiablu 
in  the  exchange  procedure — i.e.,  just  before  Step  III  of  processing  a  procedure  call.  The 
next  step  will  be  an  instantiation  of  the  quantified  statement  true  at  this  point. 

<sdvs.4,5.1>  instantiate 
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existential  formula:  q 
number:  1 

existential  variable []: 

instantiate  in  q(l)  —  all  top-level  existential  variables 
<sdvs.4.5.2>  usable 


u(l)  [sd  pre: 
comod: 
mod: 
post : 


(true) 

(all) 

(xtest\pc, xtest ) 

(alldisjoint (xtes+, .xtest ,c) , 
covering(#rtest , .xtest ,c) , 
declare(c .type (integer)) , 
<adatr  c  :  integer>)] 


q(l)  exists  c  ([sd  pre:  (true) 
comod:  (all) 

mod:  (xtestNpc , xtest) 
post :  (alldisjoint (xtest, .xtest ,c) , 
covering(#xtest, . xtest, c) , 
declare(c, type (integer)) , 
<adatr  c  :  integer>)]) 


<sdvs.4.5.2>  apply 

sd/number [highest  applicable/once] : 

apply  —  [sd  pre:  (true) 
comod:  (all) 

mod:  (xte8t\pc,xte8t) 
post :  (alldisjoint (xtest , . xtest ,c) , 
covering (#xtest, . xtest, c) f 
declare (c, type (integer)) , 
<adatr  c  :  integer>)] 


<sdvs.4.5.3>  usable 

u ( 1 )  [sd  pre:  (true) 
comod:  (all) 

mod:  (xtest\pc,c) 
post:  (#c  *  .a, 

<adatr  c  :=  a ; > )  ] 


No  usable  quantifiers. 


The  instantiation  of  the  quantifier  and  the  application  of  state  deltas  to  effect  the  necessary 
declarations  brings  us  to  the  first  executable  statement  in  the  body  of  the  procedure. 

<srivs.4.5.3>  go 

until[]:  #xtcst\pc  =  exitedfxtcst. exchange) 

apply  —  [sd  pre:  (true) 
comod:  (all) 

mod:  (xtest\pc,c) 
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post:  (#c  *  .a, 

<adatr  c  :*  a;>)] 

apply  —  [sd  pre:  (true) 
conod:  (all) 

■od:  (xtest\pc,a) 
poet:  (#a  =*  .b, 

<adatr  a  b ; >) ] 

apply  —  [sd  pre:  (true) 
coaod:  (all) 

■od:  (xtest\pc,b) 
post:  (#b  *  .c, 

<adatr  b  c;>)] 

apply  —  [sd  pre:  (true) 
corned:  (all) 

■od:  (xtest\pc, xtest ,c) 
post :  (covering ( . xtest , ixteat , c) t 
undeclare(c) , 

<adatr  c  :  integer>)] 

apply  —  [sd  pre:  (true) 
coaod:  (all) 

■od:  (xtest\pc) 

post:  (#xtest\pc  *  exited (xtest .exchange) , 
<adatr  null;>)] 

close  —  7  steps/applications 

close  —  5  steps/applications 

proveadaleaaa  —  [sd  pre:  (. xtest \pc  *  at (xtest. exchange)) 
conod:  (axl) 

■od:  (xtest\pc,a,b) 
post:  (#a  *  .b,#b  *  .a , 

#xtest\pc  *  exited(xtest. exchange))] 


The  facts  to  be  proven  here  are  sufficiently  simple  that  the  proof  of  the  lemma  closes 
automatically. 

The  lemma  being  proved,  the  next  step  is  to  reinitialize  SDVS,  and  prove  the  overall  state 
delta  xtest  .sd. 

<sdvs.4>  init 
proof  name[]: 

State  Delta  Verification  System,  Version  9 

Restricted  to  authorized  users  only. 

<sdvs .  1  >  prove  xtest. sd 

state  delta:  proof []: 

open  —  [sd  pre:  (ada(xtest.ada)) 
conod:  (all) 
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mod:  (all) 

post:  (#xtest\8tdout [1]  **  .xtest\stdin[2] , 
#xteBt\stdout [2]  *  .xtest\stdin[3] , 
#xtest\8tdout [3]  *  .xtG8t\stdin[l])] 


Complete  the  proof. 
<sdv8.1.1>  usable 


u(l) 


[sd  pre:  (true) 
comod:  (all) 
mod:  (xtestNpc) 

post:  (<adatr  procedure  xtest  is 

x,  ...  :  integer  :* 
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begin 
get  (x); 

end  xtest ;>)] 


No  usable  quantifiers. 


The  go  command  can  be  used  to  cause  the  system  to  apply  state  deltas  and  perform  in¬ 
stantiations  until  a  specified  condition  holds. 

<sdv8.1.1>  go 

until  []:  #xtest\pc  =  at(xtest.  exchange) 


This  go  command  will  bring  us  into  the  first  call  to  the  exchange  procedure,  in  a  position 
to  apply  the  len  ma. 


apply  —  [sd  pre:  (true'* 
comod:  (all) 
mod:  (xtest\pc) 

post:  (<adatr  procedure  xtest  is 

x,  ...  :  integer  :=  1 

begin 
get  (x); 

end  xtest ;>)] 


instantiate  in  q(l)  —  all  top-level  existential  variables 


apply  —  [sd  pre: 

comod: 
mod: 
post : 


(true) 

(all) 

(xtest\pc, xtest) 

(alldisjoint(xtest , .xtest ,x,y,z) , 
covering (#xtest, .xtest ,x,y,z) , 

declare (x, type (integer)) ,declare(y , type (integer)) , 
declare (z, type (integer)) , 

<adatr  x,  ...  :  integer  :»  1»] 
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aPPly  —  C8d  Pre:  (true) 
conod:  (all) 
nod:  (xtest\pc,x,y,z) 
poet:  (#x  *  l,#y  *  l,#z  *  1, 

<adatr  x,  ...  :  integer  :*  1>)] 

apply  —  [sd  pre:  (true) 
conod:  (all) 

nod:  (xteat\pc,x,xte8t\stdin\ctr) 
post:  (#x  *  .xtest\stdin[.xtest\stdin\ctr] , 
#xtest\stdin\ctr 

*  .xtest\stdin\ctr  +  i, 

<adatr  get  (x) ;>)] 

apply  —  [sd  pre:  (true) 
comod:  (all) 

nod:  (xtest\pc,y,xtest\stdin\ctr) 
post:  (#y  *  .xte8t\stdin[.xtest\8tdin\ctr] , 
#xtest\8tdin\ctr 

*  .xtest\stdin\ctr  +  1, 

<adatr  get  (y) ;»] 

apply  —  [sd  pre:  (true) 
conod:  (all) 

n^d:  (xte8t\pctz,xte8t\8tdin\ctr) 
post:  (#z  *  .xtes«\stdin[.xte8t\stdin\ctr] , 
#xtest\stdin\ctr 

*  .xtestXstdinXctr  +  1, 

<adatr  get  (z) ;>)] 

instantiate  in  q(l)  —  all  top-level  existential  variables 

apply  —  [sd  pre:  (true) 
conod:  (all) 

nod :  (xtest\pc ,xtest) 
post:  (alldisjoint(xtest, .xtest,a,b) f 
covering (txtest, .xtest,afb) , 

declare (a, type (integer)) , declare (b, type (integer)) , 
<adatr  exchange  (x,  ...)>)] 

apply  —  [sd  pre:  (true) 
conod:  (all) 
nod:  (xtest\pc ,a,b) 
post:  (#a  «  .x,#b  *  .y, 

<adatr  exchange  (x,  ...)>)] 

apply  —  [sd  pre:  (true) 
conod:  (all) 
nod:  (xtest\pc) 

post:  (#xtest\pc  *  at (xtest . exchange) , 

<adatr  exchange  (x,  ...)>)] 

go  —  breakpoint  reached 
<sdv8.1.12>  usable 
No  usable  state  deltas. 
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q(l)  exists  c  ([sd  pre:  (true) 
comod:  (all) 

mod-'  (xtest\pc, xtest) 
post  :•  (alldis  joint  (xtest ,  .xttst  ,c) , 
covering(#xtest , .xtest »c) , 
declare(c,type(integer)>  F 
<adatr  c  :  integer^)]) 


Symbolic  execution  is  now  at  precisely  the  point  whore  Steps  1  pud  II  of  the  fust  call  to  the 
exchange  procedure  have  been  completed,  where  the  next  step  would  be  the  instantiation 
for  the  declaration  of  the  local  variable.  Instead,  we  can  invoke  the  lemma  to  bypass  the 
symbolic  execution  of  the  procedure  body. 


<sdvs .  1 . 12>  invokeadalemma 

Ada  lemma  name:  exchange. lemma 


invokeadalemma  — 


[sd  pre: 
comod: 
mod: 
post : 


(.xtf?8t\pc  =  at  (xtest  .exchange) ) 
(all) 

(xtest\pc,a,b) 

(#a  ^  .bf#b  «  .  a» 

#xtest\pc 

*  exit ed(xtest .exchange) t 
<adatr  return; >)] 


<sdvs.l.!3>  usable 


u(l)  [sd  pre:  (true) 
comod:  (all) 
mod:  (xtest\pc) 

post:  (#xtest\pc  *  exited (xte*rt .exenange) » 
<adatr  exchange  (x,  ...)>)] 


No  usable  quantifiers. 

<sdvs.l.l3>  apply 

sd/number [highest  applicable/once] : 

apply  —  [sd  pre:  (true) 
comod:  (all) 
mod:  (xtest\pc> 

post:  (#xtest\pc  *=  exited(xtest .exchange) , 
<adatr  exchange  (x,  ...)>)] 


<sdvs,1.14>  u-ahle 

u(l)  Tsd  pre:  (true) 
comod:  (all) 

mod:  (xtest\pc ,x,y) 
post:  (#x  =  . a,#y  =  .b, 

<adatr  exchange  (x,  ...)>)] 
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No  usable  quantifiers. 


This  point  is  immediately  following  completion  of  Step  V.  Two  more  state  deltas  are  applied 
to  complete  Steps  VI  and  VII. 


<sdvs,1.14>  apply  2 
sd/number [highest 
apply  —  [sd  pre: 

cosod: 
nod: 
post : 


applicable/once] : 
(true) 

(all) 

(xtest\pc,x,y) 

(#x  «  .a,#y  -  .b, 
<adatr  exchange  (x, 


...)»] 


apply 


[sd  pre: 
conod: 
nod: 
post: 


(true) 

(all) 

(xtest\pc  , xtest ,a,b) 
(covering(.xtest,ixtest,a,b) , 
undeclare (a, b) , 

<adatr  exchange  (x,  ...)>)] 


<sdvs.l.l6>  usable 


No  usable  state  deltas. 


q(l)  exists  a!2  exists  b ! 2  ([sd  pre:  (true) 

conod:  (all) 

nod:  (xtest\pc, xtest) 
post:  ( alldis joint (xtest , 

.xtest ,a!2,b!2) , 
covering (txtest , 

.xtest,a!2,b!2) , 
declare (a ! 2 , type  (  integer)  )  , 
declare(b 12, type (integer) ) , 
<adatr  exchange  (y,  ...)>)]) 


This  is  the  beginning  of  the  next  Ada  statement. 

We  go  on  to  the  point  where  the  lemma  can  be  invoked  again,  we  invoke  it,  and  we  then 
apply  the  state  deltas  to  complete  the  return  from  the  call. 

<sdvs,1.16>  go 

until[]:  #xtest\pc  =  at  (xtest.  exchange) 

instantiate  in  q(l)  —  all  top-level  existential  variables 

apply  —  [sd  pre:  (true) 
conod:  (all) 

nod:  (xtest\pc,xte8t) 
post:  (alldisjoint (xtest , .xtest ,a!2»b!2) , 
covering (txtest , ,xtest,a!2,b!2) , 
declare (a! 2, type (integer)) , 
declare (b! 2, type (integer)) , 
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<adatr  exchange  (y,  ...)>)] 

apply  —  [sd  pre:  (true) 
comod:  (all) 
mod:  (xtest\pcla!2,b!2) 
post:  (#a!2  =  .y,#b!2  =  ,zt 

<adatr  exchange  (y,  ...)>)] 

apply  —  [sd  pre:  (true) 
comod:  (all) 
mod:  (xtest\pc) 

post:  (#xtest\pc  *  at (xtest .exchange) , 

<adatr  exchange  (y,  ...)»] 

go  —  breakpoint  reached 

<sdvs .  1 . 20>  invokeadalcmma 

Ada  lemma  name:  exchange. lemma 

invokeadalemma  —  [sd  pre:  (.xtest\pc  »  at (xtest .exchange) ) 
comod:  (all) 
mod:  (xtest\pc,a!2,b!2) 
post:  (#a!2  *  .b!2,#b!2  *  .a!2, 
#xtest\pc 

*  exited(xtest .exchange) , 
<adatr  return; >)] 

<sdvs.l.21>  apply  3 

sd/number [highest  applicable/ once] : 
apply  —  [sd  pre:  (true) 
comod:  (all) 
mod:  (xtest\pc) 

post:  (#xtest\pc  *  exited(xtest .exchange) , 
<adatr  exchange  (y,  ..,)>)] 

apply  —  [sd  pre:  (true) 
comod:  (all) 
mod:  (xtest\pc ,y ,z) 
post:  (#y  »  . a!2 ,#z  =  ,b!2t 

<adatr  exchange  (y,  ...)>)] 

apply  —  [sd  pre:  (true) 
comod:  (all) 

mod:  (xtest\pc, xtest ,a!2,b!2) 
post :  (covering ( . xtest , #xtes t , a ! 2 ,b ! 2) , 
undeclare(a!2,b!2) , 

<adatr  exchange  (y,  ...)>)] 

<sdvs.l.24>  usable 

u(l)  [sd  pre:  (true) 
comod:  (all) 
mod:  (xtest\pc, 

xtest\stdout [ . xtest\stdout\ctr] , 
xtest \stdout\ctr) 

post:  (#xtest\stdout [.xtest\st.dout\ctr]  =  .x, 

#xtest\8tdout\ctr  =  .xtest\stdout\ctr  +  1, 


15 


<adatr  put  (x);>)] 


Ho  usable  quantifiers. 


We  now  simply  go  on  through  the  rest  of  the  test  program. 

<sdvs,1.12>  invokeadalemma 
<sdvs.l.24>  go 

until[]:  terminated(xtest) 

apply  —  [sd  pre:  (true) 
comod:  (all) 
mod:  (xtestXpc, 

xtestXstdout [ . xtest\stdout\ctr] * 
xtest\8tdout\ctr) 

post:  (#xtest\stdout [.xtestXstdoutXctr]  *  ,x» 

#xtest\stdout\ctr 

*  ,xtest\stdout\ctr  +  1, 

<adatr  put  (x) ;>)] 

apply  —  [sd  pre:  (true) 
comod:  (all) 
mod:  (xtestXpc, 

xtestXstdout [ . xtest\stdout\ctr] , 
xtestXstdoutXctr) 

post:  (#xtest\stdout[. xtestXstdoutXctr]  ■  ,y, 

#xtest\8tdout\ctr 

*  .xtestXstdoutXctr  +  1, 

<adatr  put  (y) ;>)] 

apply  —  [sd  pre:  (true) 
comod:  (all) 
mod:  (xtestXpc, 

xtestXstdout [.xtestXstdoutXctr] , 
xtestXstdoutXctr) 

post:  (#xtest\stdout[.xtest\8tdout\ctr]  *  .z, 

#xtest\stdout\ctr 

*  .xtestXstdoutXctr  +  1, 

<adatr  put  (z) ;>)] 

close  —  26  steps/applications 

<sdvs.2>  ps 

«  initial  state  » 
proved  xtest.sd  <1> 

— >  you  are  here  <— 

<sdvs.2> 

1  he  postcondition  of  xtest.sd  is  sufficiently  simple  that  the  system  can  verify  it  without 
assistance,  and  the  proof  closes  automatically. 
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The  following  is  the  saved  version  of  the  proof  presented  above: 

;  Syntax:  Common-lisp;  Package:  USER;  Mode:  LISP  -*-“*/♦ 

(defsd  xtest.sd 

"[sd  pre:  (adaCxtest .ada)) 
comod:  (all) 
mod:  (all) 

post:  (#xtest\\stdout [l]*.xtest\\stdin[2] » 
#xtest\\stdout  [2]  * .  xt estWstdin  [3]  , 
#xtest\\stdout  [3]  * .  xtestWstdin  [1]  )]  M) 

(defproof  xtest. proof 

" (adatr  \"testproof s/xtest . ada\“ , 
createadalemma  exchange. lemma 

file:  \"testproof s/xtest .ada\" 
procedure:  exchange 
qualified  name:  xtest .exchange 
precondition: 

mod  list:  (a,b) 

postcondition:  (#a  *  .b,#b  =  .a), 
proveadalerima  exchange . lemma 
proof : 

(go  #xtest\\pc  »  exicecKxtest  .exchange)  , 
close) , 

prove  xtest.sd 
proof : 

(go  #xtest\\pc  =  at (xtest .exchange) t 
invokeadalemma  exchange. lemma, 
go  #xtest\\pc  *  at(xte8t. exchange) , 
invokeadalemma  exchange. lemma, 
go  terminated(xtest) , 
close))") 


The  reader  may  well  wonder  why  the  Ada  lemma  can  be  invoked  only  after  a  call  to  the 
procedure  has  been  partly  processed  (manually),  and  why  afterwards  we  still  have  to  apply 
two  more  state  deltas  to  complete  the  call.  Why  should  not  the  system  be  programmed  to 
perform  these  instantiations  and  state  delta  applications  automatically?  In  fact,  there  is  no 
reason  why  this  would  not  have  worked  in  our  example.  But  here,  all  the  conditions  to  be 
proven  were  simple  enough  that  they  could  be  verified  by  SDVS’  simplifier  and  propagated 
automatically.  With  more  complex  conditions,  perhaps  involving  quantifiers,  this  would  not 
be  the  case,  and  the  user  would  need  to  assist  the  system  in  propagating  these  conditions 
through  the  steps  at  the  beginning  and  end  of  the  procedure  call. 
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4  Example  II:  Finding  a  Maximum 


Our  second  example  is  a  program  to  find  the  maximum  clement  in  an  integer  array.  It 
uses  a  subroutine  for  finding  the  maximum  of  two  elements.  Although  a  trivial  subroutine, 
this  will  nevertheless  serve  to  illustrate  many  aspects  of  the  offline  characterization,  not  to 
mention  honing  our  skills  at  giving  proofs  of  facts  involving  quantifiers.  The  target  program 
is 


procedure  findmaxtest  is 
size  :  integer; 
i  ;  integer; 
begin 

get (size) ; 
inner  : 

declare 

x  :  arrayd  ..  size)  of  integer; 

procedure  raax(i  :  in  integer;  n  :  in  out  integer)  is 
begin 

if  x(i)  >  n  then 
n  :=  x(i) ; 
end  if; 
end  max; 

procedure  findmax(m  :  in  out  integer)  is 
i  :  integer; 
begin 

m  :=  x(l) ; 
i  :=  2; 

while  i  <=  size  loop 
max(i ,  m) ; 
i  :*  i  +  1; 
end  loop; 
end  findmax; 
begin 

i  :=  1; 

while  i  <=  size  loop 
get(x(i)) ; 
i  :=  i  +  1; 
end  loop; 
f indmax(i) ; 
end  inner; 
put (i) ; 

end  findmaxtest; 

In  this  example  we  avoid  the  previous  procedure  bating  and  proving  a  state  delta  about 
the  entire  program.  Instead,  we  state  and  prove  a  state  delta,  as  an  Ada  lemma,  about  the 
findmax  procedure.  Since  findmax  itself  calls  another  procedure,  this  will  provide  ample 
oppoi  t unity  to  see  the  offline  characterization  feature  in  action.  In  this  way,  we  avoid  the 
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routine  and  tiresome  task  of  proving  facts  about  the  input  and  output  streams.  The  overall 
strategy  is  first  to  prove  a  lemma  about  the  max  procedure,  which  wiil  include  some  details 
needed  for  the  later  application.  Then  we  set  up  and  prove  a  lemma  about  f  indmax  itself. 
This  proof  involves  an  induction,  and  within  the  step  case  of  the  induction,  we  apply  the 
previously  proved  lemma  about  max. 


<sdvs.l>  adatr 

path  name[foo.ada]  :  tcstproofs/findmax.a 

Reading  parse  tree  file  for  Stage  2  Ada  file  —  Mf indmax. a" 

Translating  Stage  2  Ada  file  —  “testproofs/f indmax. a" 

<sdvs.2>  createadalemmn 

lemma  name:  max. lemma 
file  name:  tcstproofs/findmax.a 
subprogram  name:  max 
qualified  name:  findmaxtest.inner.max 
preconditioned  :  1  le  .max.i,.max.i  le  .size, 

exists  j  ((1  le  j  &  j  le  .size)  &  .xfj]  =  .n) 
mod  list  []  :  n 

postconditions:  =  .n  or  #n  =  .x[.max.ij,#n  ge  .n,#n  ge  .xf.max.i], 

exists  j  ((l  le  j  &  j  le  .size)  &  .x[j]  =  #n) 

createadalemma  —  [sd  pre:  ( .f indmaxtestXpc  *  at (f indmaxtest .inner. max) , 

1  le  .max.i, .max.i  le  .size, 
exists  j  ((1  le  j  A  j  le  .size)  ft  .x[j]  *  .n)) 
comod:  (all) 

mod:  (f indmaxtest \pc,n) 
post:  (#n  *  . n  or  in  »  .x[. max.i] ,#n  ge  ,n, 
in  ge  .XL.nax.i] , 

exists  j  ((1  le  j  ft  j  le  .size)  ft  .x[j]  *  in), 
ifindmaxtestNpc  *  exitedCf indmaxtest . inner. max))] 


The  symbol  i  is  declared  in  several  places  in  f  indmaxtest,  with  inner  declarations  shad¬ 
owing  outer  ones.  SDVS,  however,  needs  unique  names.  Therefore,  the  translator  inserts 
qualifications  to  distinguish  the  various  places  named  “i,”  and  so  we  have  max .  i  here  and 
later  f indmax. i.  Having  created  the  lemma,  our  next  step  is  to  prove  it. 

<sdvs.3>  proveadalemma 

Ada  lemma  name:  max. lemma 
proof  [] : 

open  —  [sd  pre:  (alldis joint (f indmaxtest f indmaxtest) , 

covering ( . f indmaxtest ,f indmaxtestXpc ,f indmaxtest \st din , 
findmaxtest\stdin\ctr,f indmaxtest Xstdout , 
f indmaxte8t\stdout\ctr , size , i , x) , 
declarefx, 

type (array ,origin(x) , range (x) , type (integer ) ) ) , 
declare (i, type (integer)) ,aeclare(size, type (integer)) , 

<adatr  max  (max.i,  ...);>) 
comod:  (all) 
mod:  (all) 
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post:  ([sd  pre:  (.f indmaxtest\pc  *  at (f indmaxtest . inner .max) , 

1  le  .max. i, .max.i  le  .size, 
exists  k  ((1  le  k  k  k  le  .size)  k 
•  x[k]  *  .n)) 

comod:  (all) 
nod:  (diff(all, 

dif f (unionCf indmaxtestXpc , 

f indmaxtest\stdin, 
f indmaxtest\stdin\ctr , 
f indmaxtest\stdout , 
f indnaxtest\stdout\ctr , size , i , 
x,max. i,n) 

union(findmaxtest\pc ,n)) ) ) 
post:  (#n  *  ,n  or  #n  =»  . x [.max. i]  , fn  ge  .n, 

#n  ge  .x[.max.  i]  , 
exists  k  (Cl  le  k  k  k  le  .size)  k 
•x[k]  «  #n) , 

#f indmaxtest\pc  *  exited (f indmaxtest . inner .max) )] )] 

instantiate  in  q(l)  —  all  top-level  existential  variables 

apply  —  [sd  pre:  (true) 
comod:  (all) 

mod:  (findmaxtest\pc,f indmaxtest) 
post:  (alldisjoint (f indmaxtest , . f indmaxtest , max. i ,n) , 
covering (#f indmaxtest , . f indmaxtest ,max. i,n) , 
declare (max . i , type (integer) ) , 
declare (n, type (integer)) , 

<adatr  null;>)] 

apply  —  [sd  pre:  (true) 
comod:  (all) 

mod:  (f indmaxtest\pc,max.i,n) 
post:  (#max.i=  .max.i,#n=  .n, 

<adatr  null;>)] 

apply  —  [sd  pre:  (true) 
comod:  (all) 

mod:  (f indmaxtest\pc) 

post:  (#f inamaxtestXpc  *  at(f indmaxtest. inner .max) , 

<adatr  null;>)] 

go  —  breakpoint  reached 

open  —  [sd  pre:  ( .f indmaxtest\pc  =  at (f indmaxtest .inner. max) , 

1  le  .max . i, .max. i  le  .size, 
exists  k  ((1  le  k  k  k  le  .size)  k  .x[k]  =  .n)) 
comod:  (all) 
mod:  (dif f (all, 

dif f (union(f indmaxtest\pc ,f indmaxtest\stdin , 
f indmaxtest\stdin\ctr , 
f indmaxtcctNstdout , 

f indmaxtest \stdout\ctr, size, i,x , max. i , 

n)  , 

union (findmaxtestXpc ,n) ) ) ) 
post:  (#n  =  .n  or  #n  =  .x[ .max. i] ,#n  ge  .n, 

#n  ge  . x [ . max . ij , 
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exists  k  ((1  le  k  I  k  le  .size)  k  .x[k]  *  #n) , 

#f indmaxtestXpc  *  exited (findmaxtest.  inner .max))] 

<sdvs.3.5.1>  usable 

u(l)  [sd  pre:  (~ ( .xf.max.i]  gt  .n),.max.ige  l,.max.ile  .size) 
comod:  (all) 

mod:  (f indmaxtestXpc) 
post:  (<adatr  not  (x  (i)  >  n)>)] 

u(2)  [sd  pre:  (.xf.max.i]  gt  .n,.»ax.ige  l,.max.ile  .size) 
comod:  (all) 

mod:  (f indmaxtest\pc) 
post:  (<adatr  if  x  (i)  >  n 

then  n  :*  x  (i) ; 
end  if ; >) ) 


q(l)  exists  k  ((1  le  k  ft  k  le  size\18)  k  .x[k]  *  n\13) 

The  system  automatically  opens  a  state  delta  and  applies  state  deltas  to  create  the  envi¬ 
ronment  suitable  for  proving  max. lemma.  The  last  step  was  to  open  the  max. lemma  state 
delta.  Since  the  body  of  max  begins  with  an  if  statement,  the  usable  state  deltas  have 
preconditions  for  two  possibilities,  and  we  must  break  the  proof  into  two  cases. 

<sdvs.3.5.1>  cases 

case  predicate:  .xf.max.i]  gt  .n 

cases  —  .x[.max.i]  gt  .n 

open  —  [sd  pre:  (.x[.»ax.i]  gt  .n) 
comod:  (all) 
mod:  (diff (all* 

dif f (union(f indmaxtestXpc  *findmaxtest\Btdin, 
findmaxtestXstdinXctr, 
f indmaxtestXstdout * 
f indmaxte8t\stdout\ctr  *  size , i , x , 
max. i,n) , 

union (f indmaxtestXpc ,n) ) ) ) 

post:  (#n  ■  n\l3  or  fn  *  x\19,#n  ge  n\13,#n  ge  x\19, 
exists  k  ((1  le  k  ft  k  le  size\18)  k 
.x[k]  *  #n), 

#f indmaxtestNpc  *  exited(f indmaxtest .inner. max))] 

<sdvs. 3.5 . 1 . 1 . 1>  go 

until[]:  #fmdmaxtest\pc  =  cxiledffindmaxtest.inner.max) 

apply  —  [sd  pre:  (.x[.max.i]  gt  .n*.max.i  ge  l,.max.i  le  .size) 
comod:  (all) 

mod:  (lindmaxtestXpc) 
post:  (<adatr  if  x  (i)  >  n 

then  n  :*  x  (i) ; 
end  if;>)3 

apply  —  [sd  pre:  (.max.i  ge  l,.max.i  le  .size) 
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comod:  (all) 

mod:  (f indmaxtest\pcfn) 
post:  (#n  -  .x[.  max.i], 

<adatr  n  :*  x  (i) ;>)] 


apply  —  [sd  pre: 

comod: 
mod: 
post : 


(true) 

(all) 

(f indmaxtest\pc) 
(#f indmaxtest \pc 
<adatr  null;>)] 


exited(f indmaxtest . inner .max) , 


go  —  breakpoint  reached 


The  cases  command  set  up  the  environment  for  the  body  of  the  if  statement;  then  the  vjo 
command  advanced  symbolic  execution  to  the  end  of  the  max  procedure.  Now  we  must  see 
to  the  postcondition  to  be  established. 

<sdvs .  3 .5 . 1 . 1 .4>  whynotgoal 
simplify? [no] : 

g(4)  exists  k  ((1  le  k  ft  k  le  size\18)  ft  .x[k]  *  #n) 

<sdvs.3.5.1. 1.4>  usable 

u(l)  [sd  r\  e:  (true) 
comod:  (all) 

mod:  (f indmaxtest \pc ,n) 
post:  (#n  *  .n, 

<adatr  null;>)] 


q(l)  exists  k  ((1  le  k  ft  k  le  size\18)  ft  ,x[k]  =  n\13) 

<sdvs . 3 .5 . 1 . 1 .4>  ppeq 
expression:  ,n 
eqelass  =  x\19 

<sdvs .3.5. 1 . 1 ,4>  simp 
expression:  n\l3  =?  ,n 

false 


The  symbol  n\13  here  refers  to  the  original  value  of  n,  not  the  current  one.  To  prove  the 
goal  in  this  case,  we  note  that  .max.i  is  a  value  for  k  with  the  following  required  property: 

<sdvs.3 .5. 1 . 1.4>  instantiate 

existential  formula:  g 
number:  4 
existential  variable [J:  k 

instantiated  by:  .max.i 
existential  variable []: 

instantiate  in  goal  4  —  .max.i  for  k. 
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close  —  4  steps/applications 


open  —  [ad  pre:  (** ( .x[.max. i]  gt  .n)) 
coaod:  (all) 
mod:  (diff(all, 

dif  f  (union(f  indnaxtestXpc ,  f  indmaxtest\stdin , 
f indmaxtest\atdin\ctr ♦ 
f indaaxteatXstdout , 
f indmaxtest\stdout\ctr , size » i , x , 
max. i,n) , 

union (f indmaxtest\pc ,n) ) ) ) 

post:  (#n  -  n\13  or  in  ■  x\19,#n  ge  n\13»#n  ge  x\19, 
exists  k  ((1  le  k  ft  k  le  size\18)  ft 
.x[k]  -  in) , 

if indaaxtest\pc  ■  exited(f indaaxtest .inner. max))] 

Complete  the  proof. 

The  system  opens  the  other  case.  No  statements  are  executed  in  this  branch  of  the  if,  so 
the  proof  of  the  max. lemma  will  close  automatically. 

<sdvs. 3.5.1 .2. 1>  go 

until[]:  #findmaxtc$t\pc  =  exited(findmaxtest.inner.maT) 

apply  —  [sd  pre:  (~( .x[.nax. i]  gt  ,n),.max.i  ge  1, 

.nax.i  le  .size) 
coaod:  (all) 
aod:  (f indmaxtest \pc) 
post:  (<adatr  not  (x  (i)  >  n)>)] 

apply  —  [sd  pre:  (true) 
comod:  (all) 

Mod:  (f indaaxtest\pc) 

post:  (if indmaxtest \pc  *  exited(findmaxtest . inner. Max) , 

<adatr  null;>)] 

close  —  2  steps/applications 

join  —  [sd  pre:  (true) 
coaod:  (all) 
mod:  (diff(all, 

diff (union (f indmaxtest \pc,findMaxtest\stdin, 
f indMaxtest\stdin\ctr , 
f indmaxteat\stdout , 
f indMaxtest \stdout\ctr , size , i , x , 
max.i.n) , 

union (f indMaxtest \pc ,n) ) ) ) 

post:  (in  »  n\13  or  in  *  x\19,in  ge  n\13,in  ge  x\19, 

exists  k  ((1  le  k  k  k  le  size\18)  ft  .x[k]  -  in) , 
if indmaxtest\pc  *  ex ited(findaaxtest. inner. Max))] 

close  —  1  steps/applications 

close  —  5  steps/applications 

proveadalemma  —  [sd  pre:  ( .f indmaxtest\pc  *  at(f indmaxtest . inner .max) , 
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1  le  .max.  i,  .max.  i  le  .size, 
exists  k  ((1  le  k  k  k  le  .size)  k 
•  x[k]  «  .n)) 

comod:  (all) 

mod:  (f indmaxtest\pc,n) 
post:  (#n  =  .n  or  #n  =  .x[.max.i]  ,#n  ge  ,n, 

#n  ge  .x[.max. i] , 
exists  k  ((1  le  k  k  k  le  .size)  k 
. x [k]  *  #n) , 

#f indmaxtest\pc  *  exited (findmaxtest . inner .max))] 


Now  we  create  a  lemma  for  the  findmax  procedure  and  initiate  its  proof. 

<sdvs .  3>  creatcadalcm  ma 

lemma  name:  findmax. lemma 
file  name:  teslpr  oofs /findmax. a 
subprogram  name:  findmax 
qualified  name:  findmaxtest. inner. findmax 
preconditions []  :  t  le  .size 
mod  list[]:<  rn 

postconditions:  forall  j  (1  le  j  &  j  le  .size  ->  .x[j]  le  #rn)f 
exists  j  ((1  le  j  &  j  le  .size)  &  #m  =  .x[jj) 

createadalemma  —  [sd  pre:  ( . f indmaxtest\pc  *  at (findmaxtest . inner. findmax) , 

1  le  .size) 
comod:  (all) 

mod:  (f indmaxtest\pc ,m) 

post:  (forall  j  (1  le  j  k  j  le  .size  — >  .x[j]  le  #m) , 
exists  j  ((l  le  j  k  j  le  .size)  k 
#m  *  .x[j]), 

#f indmaxtest\pc 

=  exited (findmaxtest . inner .findmax))] 


<sdvs.4>  proveadalemma 

Ada  lemma  name:  findmax. lemma 
proof  []  : 


open  —  [sd  pre: 


comod: 
mod: 
post : 


(alldisjoint (findmaxtest , .findmaxtest) , 
covering( .findmaxtest ,findmaxtest\pc,findmaxtest\stdin, 
findmaxtest\stdin\ctr, findmaxtest \stdout , 
f indmaxtest\stdout\ctr ,size , i,x) , 
declare(x, 

type (array ,origin(x) ,range(x) ,type(integer)) ) , 
declare(i,type(integer))  ,declai*e(size ,type(integer))  , 
<adatr  findmax  (m);>) 

(all) 

(all) 

([sd  pre:-  ( .  f  indmaxtest\pc  =  at  (findmaxtest .  inner .  findmax)  , 
1  le  .size) 
comod:  (all) 

mod:  (diff (all, 

dif f (union(f indmaxtest\pc , 

f indmaxtest\stdin, 
f indmaxtest\stdin\ctr , 
f indmaxtest\stdout , 
f indmaxtest\stdout\ctr , size , i , 
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*,*)» 

union (f indnaxtest \pc ,n) ) ) ) 

post:  (forall  j  (1  le  j  I  j  le  .size  — >  .x[j]  le  #n) , 
exists  j  ((1  le  j  I  j  le  .size)  ft 
#a  ■  .x[j]), 

#f indnaxtest \pc 

»  ex it ed(f indnaxtest. inner .findnax))] )] 

instantiate  in  q(l)  —  all  top-level  existential  variables 

apply  —  [sd  pre:  (true) 
conod:  (all) 

■od:  (findmaxte6t\pc,f indnaxtest) 
post:  ( al Id is joint (f indnaxtest, .f indnaxtest ,n) , 
covering (#f indnaxtest , .f indnaxtest tn) , 
declare (n, type (integer)) , 

<adatr  null;>)] 

apply  —  [sd  pre:  (true) 
comod:  (all) 
nod:  (f indmaxtest\pc,n) 
post:  (#n  -  .n, 

<adatr  null;>)] 

apply  —  [sd  pre:  (true) 
conod:  (all) 
nod:  (f indnaxtest\pc) 

post:  (#findmaxtest\pc  *  at (f indnaxtest. inner. findnax) , 
<adatr  null;>)] 

go  —  breakpoint  reached 

open  —  [sd  pre:  ( .f indnaxtest\pc  *  at(f indnaxtest .inner. findnax) , 

1  le  .size) 
conod:  (all) 
nod:  (diff (all, 

dif f (union (f indnaxtest \pc ,f indnaxtest \st din, 
f indnaxtest\stdin\ctr , 
f indnaxtest \stdout , 
f indnaxtest \stdout\ctr , size , i , x , n) , 
union(f indnaxtest \pc ,n) ) ) ) 

post:  (forall  j  (1  le  j  ft  j  le  .size  — >  .x[j]  le  #n) , 
exists  j  ((1  le  j  ft  j  le  .size)  ft  #n  *  .x[j]), 
#findnaxtest\pc  -  exited(f indnaxtest . inner .findnax))] 

<sdvs.4.5.1>  usable 
No  usable  state  deltas. 


q(l)  exists  findnax. i  ([sd  pre:  (true) 

conod:  (all) 

nod:  (f indnaxtest \pc, findnax test) 
post :  (alldisjoint (f indnaxtest , . f indnaxtest , 
findnax. i) , 

covering (#f indnaxtest , .f indnaxtest , 
f indnax . i) , 
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declare (f indmax. i, type (integer)) f 
<adatr  i  :  integer>)]) 


<sdvs.4.5.1>  applydecls 

instantiate  in  q(l)  —  all  top-level  existential  variables 

apply  —  [sd  pre:  (true) 
comod:  (all) 

mod:  (f indmaxtest \pc,f indmaxtest) 
post :  (al]disjoint (f indmaxtest , .f indmaxtest ,f indmax. i) , 
covering (#f indmaxtest , .f indmaxtest ,f indmax. i) , 
declare (f indmax. i, type (integer) ) , 

<adatr  i  :  integer>)] 

applydecls  —  declaration  elaboration  complete. 

<8dvs.4.5.3>  usable 

u(l)  [sd  pre:  (1  ge  1,1  le  .size) 
comod:  (all) 

mod:  (f indmaxtest \pc,m) 
post:  (#m  «  .x[i] , 

<adatr  m  :=»  x  (!);>)] 


No  usable  quantifiers. 

<sdvs.4.5.3>  go 

until[]:  .fmdmaxA  =  2 

apply  —  [sd  pre:  (1  ge  1,1  le  .size) 
comod:  (all) 

mod:  (f indmaxtest\pc ,m) 
post :  (#m  =  ,x[l] , 

<adatr  m  :=  x  (1) ;>)] 

apply  —  [sd  pre:  (true) 
comod:  (all) 

mod:  (f indmaxtest \pc,f indmax. i) 
post:  (#f indmax. i  =  2, 

<adatr  i  :=  2 ; >) ] 

go  —  no  more  declarations  or  statements 
<sdvs.4.5.5>  usable 


u(l)  [sd  pre:  ("( .f indmax, i  le  .size)) 
comod:  (all) 

mod:  (f indmaxtestNpc) 
post:  (<adatr  while  l  <=  size 
loop 

max  (i,  . . .) ; 
end  loop;>)] 

u(2)  [sd  pre:  (.findmax.i  le  .size) 
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comoa:  (all) 

mod:  (findaaxtest\pc) 
post:  (<adatr  while  i  <■  *iz« 
loop 
■ax  (i, 

end  loop;>)] 


No  usable  quantifiers. 


Symbolic  execution  is  now  at  the  entry  to  the  while  loop  in  f indmax.  We  prove  the  desired 
postcondition  of  this  loop  by  induction  on  f indmax. i  from  2  to  .size+1.  It  is  necessary 
to  provide  expressions  for  the  comod  and  mod  lists  of  the  induction  state  delta;  these 
lists,  even  when  evaluated  in  a  universe  temporarily  expanded  by  inner  declarations,  still 
specify  the  constancy  of  places  in  the  present  universe,  other  than  the  ones  listed,  and  also 
permit  the  modification  of  the  ones  listed  and  any  new  places  created  internally  to  the 
loop.  Calling  a  procedure  within  the  loop  involves  just  such  a  temporary  expansion  of  the 
universe.  We  assign  the  current  value  of  the  universe  of  places  to  a  variable  universel,  and 
then  an  expression  of  form  diff  (universal,  .  .  .)  can  define  the  set  of  places  that 

do  not  change,  even  when  the  expression  is  evaluated  in  a  universe  larger  than  universel. 
Similarly,  an  expression  of  the  form  diff  (all  .universel)  captures  all  the  places  that  have 
been  created  between  the  present  time  and  the  time  the  expression  is  evaluated.  We  also 
name  the  two  currently  usable  state  deltas: 

<sdvs.4.5.S>  let 

new  variable:  universel 

value:  .findmaxtest 

let  —  universel  *  .fincUiaxtest 

<sdvs.4.5.6>  letsd 

name:  loop.sdl 
state  delta:  u 
number :  1 

letsd  —  loop.sdl  *  u(l) 

<sdv8.4.5.7>  letsd 

name:  loop.sd2 
state  delta:  u 
number :  2 

letsd  —  loop.sd2  *  u(2) 

<sdvs.4.5.8>  induct 

induction  expression:  .findmax.i 
fro*:  2 

to:  .size  +  1 

invariant  list[]:  formula(loop.$dl  ),formuia(loop.sd2)} 
covering  (. findmaxtest,  universel ), 
forallj  (1  le  j  &  j  le  .findmax.i  -  /  -> 

.x[j]  le  .m), 

exists  j  ((l  le  j  &  j  te  .size)  &  .x[j]  =  .m) 

comodification  list[]  :  diff(universel,union(mtfindmax.iffindmaxlest\pc,findtnaxt€St)) 
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modification  list[]  :  mffindmax.i,findmaxtest,findmaxtest\pc,dtff (all, untversel) 
base  proof  □  : 
step  proof  []  : 

induction  —  .findmax.i  from  2  to  .size  +  1 

open  —  [sd  pre:  (true) 
comod:  (all) 

post:  (formula(loop.sdl) , formula (loop. sd2) , 
covering( .f indmaxtest , universe 1) , 
forall  j  (1  le  j  ft  j  le  .findmax.i  -  1 
— >  -x[j]  le  .m), 

exists  j  ((1  le  j  I  j  le  .size)  ft  .x[j]  *  .m) , 

.findmax.i  *  2)] 

We  now  supply  the  proof  for  the  base  case  of  the  induction.  After  we  prove  the  two  quantified 
statements,  the  base  case  will  close  automatically  and  the  system  will  initiate  the  proof  for 
the  step  case  of  the  induction. 

<sdvs.4.5.8. 1. 1>  whynotgoal 
simplify? [no] : 

g(4)  forall  j  (1  le  j  k  j  le  2  -  1  — >  .x[j]  le  x\50) 
g(5)  exists  j  ((1  le  j  ft  j  le  size\45)  ft  .x[j]  *  x\50) 

<sdvs .4.5.8 . 1 .  1>  instantiate 

existential  formula:  g 
number :  5 

existential  variable []:  j 
instantiated  by:  1 
existential  variable[]:< 

instantiate  in  goal  5  —  1  for  j. 

<sdvs.4.5.8. 1.2>  notice 
term:  forall  j(.x[l]  le  .m) 

notice  —  forall  j  (,x[l]  Je  .m) 

<sdvs .  4 . 5 . 8 . 1 . 3>  usablcquantifiers 

q(l)  forall  j  (x\50  le  x\50) 

<sdv8 . 4 . 5 . 8 . 1 . 3>  provebyqenerulization 

prove  universal  formula:  g 
number :  4 

number  of  universal  formulas:  1 
using  universal  formula:  q 
number:  t 

provebygeneralization  —  forall  j  (1  le  j  ft  j  le  2  -  1 

— >  .x[j]  le  x\50) 

close  —  3  steps/applications 

open  —  [sd  pre:  (.findmax.i  ge  2,. findmax.i  It  .size  +  1, 
f ormula(loop.sdl) ,formula(loop. sd2) , 
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cover ing (.fxndnaxtest, universe 1) t 
forall  j  (1  le  j  ft  j  le  .findnax.i  -  1 
— >  -x[j]  le  .a), 

exists  j  ((1  le  j  ft  j  le  .size)  ft  .x[j)  *  .»)) 
coaod:  (diff (universal, 

union(« , f indnax . i , f indnax test \pc , f indnaxtest) ) ) 
nod:  (*,f indnax. i,f indnaxtest ,f indnaxtest \pc * 
diff (all, universe!)) 

post:  ([sd  pre:  (“( .f indmax. i  le  .size)) 
coaod:  (all) 

aod:  (f indnaxtest\pc) 
post:  (<adatr  while  i  <*  size 
loop 

■ax  (i,  ...); 
end  loop;>)] , 

[sd  pre:  (.findnax.i  le  .size) 
conod:  (all) 

■od:  (f indnaxtest\pc) 
post:  (<adatr  while  i  <■  size 
loop 

■ax  (i»  . . .) ; 
end  loop;>)]t 

covering(#f indnaxtest, universal) , 
forall  j  (1  le  j  ft  j  le  if indnax. i  -  1 

— >  le  #*)» 

exists  j  ((1  le  j  ft  j  le  tsize)  ft  #x[j]  *  #m) , 
if indmax. i  *  .findnax.i  +  1)] 

Complete  the  proof. 


We  next  advance  to  the  point  where  the  procedure  call  is  made. 

<sdv8.4 .5.8 .2. 1>  go 

until  []:  #findmaxlest\pc  ~  at(fmdmaxtest. inner. max) 

apply  —  [sd  pre:  (.findnax.i  le  .size) 
conod:  (all) 

■od:  (f indnaxtest\pc) 
post:  (<adatr  while  i  <*  size 
loop 

■ax  (i,  ...); 
end  loop;>)] 

instantiate  in  q(l)  —  all  top-level  existential  variables 

apply  —  [sd  pre:  (true) 
conod:  (all) 

nod:  (findnaxtest\pc,f indnaxtest) 
post:  (alldisjoint(findnaxtest, .findaaxtest ,nax. i,n) , 
covering(#f indaaxtest, .f indnaxtest, nax.i,n) , 
declare (max . i , type ( integer) ) , 
declare (n , type ( integer) ) , 

<adatr  «ax  (i,  ...)>)] 
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apply  —  [sd  pre:  (true) 
comod:  (all) 

mod:  (findmaxtest\pc,max. i,n) 
post:  (#max.i  *  ,f mdmax. i ,#n  =  .m, 

<adatr  max  (i,  ...)>)] 

apply  —  [sd  pre:  (true) 
comod:  (all) 

mod:  (1 indmaxtestYpc) 

post:  (#f indmaxtest \pc  *  at (f indmaxtest . inner .max) , 

<adatr  max  (i,  ...)>)] 

go  —  breakpoint  reached 

We  are  now  at  the  beginning  of  the  call  to  procedure  max;  the  call  has  been  partially 
processed  by  declaring  the  formal  variables  of  the  procedure  and  binding  to  them  the  values 
of  the  actual  arguments  in  the  procedure  call.  (The  last  state  delta  applied  simply  issued 
the  condition  that  informs  the  system  that  this  is  a  place  where  the  max. lemma  might  be 
applied.)  If  we  continue  to  apply  usable  state  deltas,  symbolic  execution  will  enter  the  body 
of  max.  Instead,  we  issue  the  invokeadalemma  command. 

<sdvs .  4 . 5 . 8 . 2 . 6>  invokeadalemma 
Ada  lemma  name:  max. lemma 

invokeadalemma  (no  apply)  —  [sd  pre:  ( .f indmaxtest \pc 

=  at(findmaxtest . inner .max) , 

1  le  .max.i, 

.max.i  le  .size, 
exists  k  ((1  le  k  & 

k  le  .size)  ft 
,x[k]  =  .n)) 

comod:  (all) 

mod:  (f indmaxtest\pc,n) 
post:  (#n  =  .n  or 

#n  =  . x[.max. i] , 

#n  ge  ,n, 

#n  ge  .x [.max.i] , 
exists  k  ((1  le  k  ft 

k  le  .size)  ft 
.  x[k]  =  #n) , 

#f indmaxtest \pc 

=  exited(f indmaxtest . inner .max) , 
<adatr  return ;>)] 

<sdvs.4.5.8.2.7>  usable 

u(l)  [sd  pre:  ( ,f indmaxtest\pc  =  at (f indmaxtest .inner. max) , 1  le  .max.i, 
max.i  le  .size, 

exists  k  ((1  le  k  ft  k  le  .size)  ft  .x[k]  =  .n)) 
comod:  (all) 

mod:  (f indmaxtest\pc,n) 

post:  (#n  =  .n  or  #n  =  .x[ .max. i] ,#n  ge  .n,#n  ge  .x[. max.i], 
exists  k  ((1  le  k  ft  k  le  .size)  ft  .x[k]  ®  #n) , 

#f indmaxtest\pc  =  exited(f indmaxtest. inner .max) , 
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<adatr  return ;>)] 


u(2)  [sd  pre:  ("  (  .  x  [  .ma*:.  i]  gt  .n),.max.i  ge  l,.max.i  le  .size) 
comod:  (all) 

mod:  (f indmaxtest\pc) 
post:  (<adatr  not  (x  (i)  >  n)>)] 

u(3)  [sd  pre:  (.x[.max.i]  gt  .n,.max.ige  l,.max.ile  .size) 
comod:  (all) 

mod:  (f indmaxtest\pc) 
post:  (<adatr  if  x  (i)  >  n 

then  n  :=  x  (i) ; 
end  if;>)] 


q(l)  exists  j  ((1  le  j  ft  j  le  size\45)  ft  .x[j]  -  m\62) 

q(2)  forall  j  (1  le  j  ft  j  le  findmax.i\61  -  1  — >  .x[j]  le  m\62) 

The  max. lemma  state  delta  was  added  to  the  usable  list,  but  was  not  applied.  Why  not? 

<sdvs.4.5.8.2.7>  why  not  apply 

state  delta[  highest  usable] :  u 
number:  / 

Because  the  follpwing  is  not  known  to  be  true  —  exists  k  ((1  le  k  ft 

k  le  .size)  ft 
.  x[k]  =  .n) 

The  problem  is  that  the  system  does  not  see  that  the  usable  quantified  formula  q ( 1 )  is 
equivalent  to  the  precondition  of  u(l).  In  this  case,  it  is  because  the  two  formulas  use  a 
different  bound  variable,  but  in  general  there  could  be  many  reasons.  For  the  purpose  of 
proving  the  needed  precondition,  we  create,  prove,  and  apply  a  statically  true  state  della. 

<sdvs.4.5.8.2.7>  prove 
state  delta: 

[SD  pre:  true 
comod[]  :  all 
mod[]  : 

post:  exists  k(l  le  k  &  k  le  .size  &  ,x[k]  =  .n) 

] 

proof  []  : 

open  —  [sd  pre:  (true) 
comod:  (all) 

post:*  (exists  k  ((1  le  k  ft  k  le  .size)  ft 
*  x [k]  =  .n))3 

Complete  the  proof. 

<sdvs  .4.5.8.2.7.1>  usabh  quantifiers 

q(l)  exists  j  ((1  le  j  ft  j  le  size\45)  ft  .x[j]  =  m\62) 

q(2)  forall  j  (1  le  j  ft  j  le  findmax.i\61  -  1  — >  .x[j]  le  ra\62) 
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<sdvs .4.5 .8.2.7. i>  tvhynotgoal 
simplify? [no] : 

g(l)  exists  k  ((1  le  k  ft  k  le  size\45)  ft  .x[k]  *  m\62) 

<sdvs  .4.5.8 .2. 7. 1>  instantiate 
existential  formula:  g 
number :  1 

existential  variable [] :  j 
instantiated  by:  jO 
existential  variable []: 

instantiate  in  q(l)  —  jO  for  j. 

<sdvs  .4.5. 8. 2. 7. 2>  instantiate 
existential  formula:  g 
number:  1 
existential  variable [] :  k 
instantiated  by:  jO 
existential  variable []: 

instantiate  in  goal  1  —  jO  for  k. 

close  —  2  steps/applications 

Complete  the  proof. 

<sdvs.4.5 .3 . 2. 8>  usable 

u(l)  [sd  pre:  (true) 
comod:  (all) 

post:  (exists  k  ((1  le  k  ft  k  le  .size)  ft  .x[k]  =  .n))] 

u(2)  [sd  pre:  ( .f indmaxtest\pc  =  at (findmaxtest . inner .max) , 1  le  .max.i, 
.max.i  le  .size, 

exists  k  ((1  le  k  ft  k  le  .size)  ft  .x[k]  =  .n)) 
comod:  (all) 
mod:  (f indmaxtest\pc,n) 

post:  (#n  =  .n  or  #n  *  .x[.max. i] ,#n  ge  ,n,#n  ge  .x[. max.i], 
exists  k  ((1  le  k  ft  k  le  .size)  ft  .x[k]  =  #n) , 

#f indmaxtest\pc  =  exited(f indmaxtest . inner .max) , 

<adatr  return; >)] 

u(3)  [sd  pre:  (~( .x [ .max.i]  gt  .n), .max.i  ge  1, .max.i  le  .size) 
comod:  (all) 

mod:  (f indmaxtest\pc) 
post:  (<adatr  not  (x  (i)  >  n)>)] 

u(4)  [sd  pre:  (.x[. max.i]  gt  .n,. max.i  ge  1, .max.i  le  .size) 
comod:  (all) 

mod:  (f indmaxtest\pc) 
post:  (<adatr  if  x  (i)  >  n 

then  n  : =  x  ^i) ; 
end  if;>)] 
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q(l)  exists  j  ((1  le  j  ft  j  le  size\45)  ft  .x[j]  »  m\62) 

q(2)  forall  j  (1  le  j  ft  j  le  findmax.i\61  -  1  — >  .x[j]  le  m\62) 

<sdvs.4.5 .8.2. 8>  whynotapply 

state  delta [  highest  usable]:  u 
number:  2 

Because  the  following  is  not  known  to  be  true  —  exists  k  ((1  le  k  ft 

k  le  .size)  ft 
• x [k]  =  .n) 

<sdvs .4.5 .8.2.8>  apply 

sd/nuober [highest  applicable/once]  :  u 

number:  1 

apply  —  [sd  pre:  (true) 
comod:  (all) 

post:  (exists  k  ((1  le  k  ft  k  le  .size)  ft 
.x[k]  *  .n))] 

<sdvs.4.5.8.2.9>  whynotapply 

state  delta[  highest  usable]:  u 
number :  2 

Quite  applicable. 

Having  proved  the  statically  true  state  delta,  we  applied  it  and  found  afterwards  that  u(2), 
which  is  the  max. lemma,  is  now  applicable. 

<sdvs.4,5.8.2.9>  apply 

sd/number [highest  applicable/once]:  it 

number :  2 

apply  —  [sd  pre:  ( . f indmaxtest\pc  =  at (findmaxtest . inner .max) , 

1  le  .max. i, .max. i  le  .size, 
exists  k  ((1  le  k  ft  k  le  .size)  ft 
,x[k]  =  .n)) 

comod:  (all) 

mod:  (f indmaxtest\pc,n) 
post:  (#n  =  .n  or  #n  =  . x[.max. i] ,#n  ge  .n, 

#n  ge  .x[.max.i] , 
exists  k  ((1  le  k  ft  k  le  .size)  ft 
. x[k]  =  #n) , 

#f indmaxtest\pc  =  exited(f indmaxtest . inner . max) , 

<adatr  return; >)] 

non-trivial  propagations  —  n\75  =  m\62  or  n\75  =  x\74 

<sdvs . 4 . 5 . 8 . 2. 10>  go 

untilG:  flfituhnax.i  =  .fitidmax.i  +  1 

apply  —  [sd  pre:  (true) 
comod:  (all) 

mod;  (findm<ixLest\pc) 

post:  (#f indmaxtest\pc  =  exited(f indmaxtest . inner .max) , 

<adatr  max  (i,  ...)>)] 

apply  —  [sd  pre:  (true) 
comod:  (all) 
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mod:  (f indmaxtest\pc,m) 
post:  (#m  *  .n, 

<adatr  max  (i,  . . .)>)] 


apply  —  [sd  pre: 

comod: 
mod: 
post : 


(true) 

(all) 

(f indmaxtest\pc , f indmaxtest , max . i , n) 
(covering( .f indmaxtest ,#f indmaxtest ,max. i ,n) , 
uiideclare  (max .  i  ,n)  , 

<adatr  max  (i,  . . . )>)] 


apply  --  [sd  pre: 

comod: 

mod: 
post : 


(true) 

(all) 

(f indmaxtest\pc , f indmax . i) 

(#f indmax. i  =*  . f  indmax.  i  +  1, 
<adatr  i  i  +  1 ;>)] 


go  —  breakpoint  reached 


After  the  application  of  the  max. lemma,  the  go  command  has  advanced  symbolic  execution 
to  the  end  of  the  while  loop.  Here,  we  have  to  prove  the  postconditions  necessary  to  close 
the  induction. 

<sdvs  .4.5.8. 2. 14>  usable 

u(l)  [sd  pre:  (~( ,f indmax. i  le  .size)) 
comod:  (all) 

mod:  (f indmaxtest \pc) 
post:  (<adatr  while  i  <=  size 
loop 

max  (i,  . .  .)  ; 
end  loop;>)] 

u(2)  [sd  pre*  (.findmax.i  le  .size) 
comod:;  (all) 

mod:  (f indmaxtest \pc) 
post:  (<adatr  while  i  <=  size 
loop 

max  (i,  . . . ) ; 
end  loop;>)] 

q(l)  exists  k  ((1  le  k  ft  k  le  size\45)  ft  .x[k]  =  n\75) 

q(2)  exists  k  ((1  le  k  ft  k  le  size\45)  ft  .x[k]  =  m\62) 

q(3)  exists  j  ((1  le  j  ft  j  le  size\45)  ft  .x[j]  =  m\62) 

q(4)  fox  all  j  (1  le  j  ft  j  le  findmax . i\61  -  1  — >  .x[j]  le  m\62) 

<sdvs .  4 . 5 . 8 . 2 . 14>  whynotgoal 
simplify? [no] : 

g(4)  forall  j  (1  le  j  ft  j  le  #fmdmax.i  -  1  — >  #x[j]  le  #ra) 


g (5)  exists  j  ((1  le  j  ft  j  le  #size)  ft  #x[j]  =  #m) 

<sdvs .4 .5 .8 . 2. 14>  ppcq 
expression:  ,tn 

eqclass  =  n\75 

<sdvs  .4 .5 .8. 2. 14>  instantiate 
existential  formula:  q 
number :  / 

existential  variable [] :  k 
instantiated  by:  jl 
existential  variable []: 

instantiate  in  q(l)  —  jl  for  k. 

non-trivial  propagations  —  x\83  -  m\62  or  x\83  =  x\74 

<sdvs.4 .5 .8 . 2. 15>  instantiate 
existential  formula:  g 
number:  5 
existential  variable []:  j 
instantiated  by:  jl 
existential  variable[]:< 

instantiate  in  goal  5  —  jl  for  j. 

non-trivial  propagations  —  x\83  =  m\62  or  x\83  *  x\74 


That  takes  care  of  the  existential  goal.  Now  what  of  the  universal  one? 

<sdvs  .4.5 .8 . 2. 16>  whynotgoal 
simplify? [no]  : 

g(4)  forall  j  (1  le  j  ft  j  le  #findmax.i  -  1  — >  #x[j]  le  #m) 

<sdvs .  4 . 5 . 8 . 2 . 16>  usablcquantijicrs 

q(l)  exists  k  ((1  le  k  ft  k  le  size\45)  ft  .x[k]  =  n\75) 

q(2)  exists  k  ((1  le  k  ft  k  le  size\45)  ft  .x[k]  =  m\62) 

q (3 )  exists  j  ((1  le  j  ft  j  le  size\45)  ft  .x[j]  =  m\62) 

q(4)  forall  j  (1  le  j  ft  j  le  findmax.i\61  -  1  — >  . x [ j ]  le  m\62) 

<sdvs.4.5.8. 2. 16>  ppcq 
expression:-  .findmar.i 

eqclass  =  1  +  f indmax. i\61 
f indmax. i\61  +  1 


This  shows  that  q(4)  will  not.  suffice  for  g(4);  it  only  covers  the  values  of  j  through 
.findmax.i  -  2,  whereas  we  need  values  through  .findmax.i  -  1.  So  we  create  another 
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universal  formula  to  deal  with  the  case  j  .f indmax. i  -  1,  and  then  use  a  provebygeneral- 
izaiion  command  to  prove  g(4). 

<sdvs  .4.5 .8 . 2. 16>  notice 

term:  forall  j(.x[.findmax.i-l]  le  .m) 

notice  -  *orall  j  ( .x[. f indmax. i  -  1]  le  .m) 

non-trivial  propagations  —  x\83  *  m\62  or  x\83  =  x\74 

<sdvs ,  4 . 5 . 8 . 2 . 17>  usablequantifiers 

q(l)  forall  j  (x\74  le  n\75) 

q(2)  exists  k  ((1  le  k  ft  k  le  size\45)  ft  .x[k]  *  n\75) 

q ( 3)  exists  k  ((1  le  k  ft  k  le  size\45)  I  .x[k]  *  m\62) 

q(4)  exists  j  ((1  le  j  ft  j  le  size\45)  ft  .x[j]  *  m\62) 

q(5)  forall  j  (1  le  j  ft  j  le  f indmax.  i\61  -  1  — >  .x[j]  le  m\62) 

Csdvs .  4 . 5 . 8 . 2 . 17>  provebygeneralization 
prove  universal  formula:  g 
number :  4 

number  of  universal  formulas:  2 
using  universal  formula:  q 
number:  1 
using  universal  formula:  q 
number :  5 

provebygeneralization  —  forall  j  (1  le  j  ft 

j  le  (1  +  f indmax. i\61)  -  1 
— >  .x[j]  le  n\75) 

non-trivial  propagations  —  x\83  =  m\62  or  x\83  =  x\74 

close  —  17  steps/applications 

join  induction  cases  —  [sd  pre:  (2  le  .size  +  1) 

comod:  (all, 

diff (universel , 

union(m,f Indmax. i, 

f indmaxtest\pc , 
f indmaxtest)) ) 

mod:  (m,f indmax. i,f indmaxtest , 

f indmaxtest \pc , diff (all , universel) ) 
post;  (#f indmax. i  =  .size  +1, 
formula(loop.sdl) , 
formula(loop.sd2) , 
covering(#f indmaxtest , universel) , 
forall  j  (1  le  j  ft 

j  le  #f indmax. i  -  1 
— >  #x[j]  le  #m) , 
exists  j  ((1  le  j  ft  j  le  #size)  ft 
#x[j]  =  #m) )] 

Complete  the  proof. 
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<sdv0.4.5.9>  go 

until  []:  #findmaxtcst\pc  =  exited(findmaitcst.  inner. findmax) 


apply  — 


[sd  pre:  (“( .findmax. i  le  .size)) 
comod:  (all) 

mod:  (f indmaxtest \pc) 
post:  (<adatr  while  i  <»  size 
loop 

max  (i*  . . .) ; 


end  loop;>)] 


apply  — 


[sd  pre: 
comod: 
mod: 
post: 


(true) 

(all) 

(f indmaxtest\pc ,f indmaxtest , findmax. i) 
(covering( .f indmaxtest ,#f indmaxtest ,findmax . i) , 
undeclare ( f indraax. i) , 

<adatr  i  :  integer>)] 


apply  —  [sd  pre: 

comod: 
mod: 
post : 


(true) 

(all) 

(f indmaxtest\pc) 
(#f indmaxtest\pc 
<adatr  null;>)] 


exited(f indmaxtest . inner -findmax) , 


go  —  breakpoint  reached 


Once  the  goals  were  proved,  the  induction  closed  automatically;  the  subsequent  go  command 
has  brought  us  to  the  end  of  findmax.  Now  we  only  have  to  prove  the  postconditions  of 
findmax.  lemma  itself.  This  is  handled  easily  by  the  instantiation  and  provehygcncralization 
commands. 

<sdvs,4 .5. 12>  whynotgoal 
simplify? [no] : 

g(l)  forall  j  (1  le  j  ft  j  le  size\45  — >  .x[j]  le  #m) 
g(2)  exists  j  ((1  le  j  ft  j  le  size\45)  ft  #m  *  .x[j]) 

<sdvs.4.5. 12>  ttsablequantificrs 

q(  1 )  exists  j  (U  le  j  ft  j  le  size\45)  ft  .x[j]  =  m\87) 

q(2)  forall  j  (1  le  j  ft  j  le  (1  +  size\45)  -  1  — >  .x[j]  le  m\87) 

<sdvs .  4 . 5 . 12>  provcbygeneraltzaiton 

prove  imiversal  formula:  g 
number:  1 

nuiuber  of  universal  formulas:  1 
using  universal  formula:  q 
number:-  2 

provebygeneralizat.ion  —  forall  j  (1  le  j  ft  j  le  size\45 

— >  .x[j]  le  m\87) 

<sdvs .  4 . 5 . 13>  usablcquantificrs 
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q(l)  forall  j  (1  le  j  I  j  le  size\45  — >  .x[j]  le  m\87) 

q(2)  exists  j  ((1  le  j  ft  j  le  size\45)  ft  .x[j]  =  m\87) 

q(3)  forall  j  (1  le  j  ft  j  le  (1  +  size\45)  -  1  — >  .x[j]  le  m\87) 

<sdvs.4.5. 13>  instantiate 

existential  formula:  q 
number :  2 
existential  variable []:  j 
instantiated  by:  j2 
existential  variable []: 

instantiate  in  q(2)  —  j2  for  j. 

<sdvs.4.5. 14>  instantiate 

existential  formula*  g 
number:  2 
existential  variable []:  j 
instantiated  by:  j2 
existential  variable []: 

instantiate  in  goal  2  —  j2  for  j . 

close  —  14  steps/applications 

close  —  5  steps/applications 

proveadalemma  —  [sd  pre:  ( .f indmaxtest\pc  =  at (f indmaxtest . inner .f indmax) , 

1  le  .size) 
comod:  (all) 

mod:  (f indmaxtest\pc ,m) 

post:  (forall  j  (1  le  j  ft  j  le  .size  — >  .x[j]  le  #m) , 
exists  j  ((1  le  j  ft  j  le  .size)  ft 
#m  =  .x[j]), 

#f indmaxtestNpc 

*  exit ed(f indmaxtest .inner. f indmax))] 

<sdvs .4> 


The  proof  of  f  indmax. lemma  is  complete.  The  saved  form  of  it  follows: 

;  Syntax:  Common-lisp;  Package:  USER;  Mode:  LISP  -*-“7, 

(def proof  f indmax, proof 

" (adatr  \Mtestproof s/f indmax. a\M , 
createadalemma  max. lemma 

file:  V'testproof s/f indmax. a\M 
procedure:  max 

qualified  name:  f indmaxtest . inner .max 

precondition:  (1  le  .max.i, .max.i  le  .size, 
exists  k  ((1  le  k  ft  k  le  .size)  ft  .x[k]  =  ,n)) 
mod  list:  (n) 

postcondition:  (#n  =  .n  or  #n  =  ,x[. max.i] ,#n  ge  .n,#n  ge  . x[. max.i], 
exists  k  ((1  le  k  ft  k  le  .size)  ft  .x[k]  =  #n)), 


prove adalemma  max. lemma 
proof : 

cases  .x[.max.i]  gt  .n 
then  proof: 

(go  #f  indmaxtestWpc  =  exited (findmaxtest . inner .max) , 
instantiate  (k=.max.i)  in  g(4)) 

else  proof:  go  #f  indmaxtestWpc  =  exited  (findmaxtest .  inner  .max)  , 
createadalemma  findmax. lemma 

file:  V'testproofs/f indmax. a\M 
procedure:  findmax 

qualified  name:  findmax test . inner .findmax 
precondition:  (1  le  .size) 
mod  list:  (m) 

postcondition:  (forall  j  (1  le  j  ft  j  le  .size  — >  .x[j]  le  #m) , 
exists  j  ((1  le  j  ft  j  le  .size)  ft  #m  *  .x[j])), 
proveadalemma  findmax. lemma 
proof : 

(applydecls, 
go  .findmax. i  =  2, 
let  universel  =  .findmaxtest, 
letsd  loop.sdl  =  u(l), 
letsa  loop.sd2  =  u(2), 
induct  on:  .findmax. i 

from:  2 

to:  .size  +  1 

invariants:  (formula(loop.sdl) .formula (loop. sd2) , 
coveringC .findmaxtest, universel)  f 

forall  j  (1  le  j  ft  j  le  .findmax. i  -  1  — >  .x[j]  le  .m), 
exists  j  ((1  le  j  ft  j  le  .size)  ft  .x[j]  *  .m)) 
comodlist:  (diff (universel , 

union (m , f  .indmax .  i ,  f  indmaxtestWpc  , f  Indmaxtest)  ) ) 
modlist :  (m,f  indmax.  i, findmaxtest ,f  indmaxtestWpc, 

dif  f  (o'!  1  .universel)) 
base  proof : 

(instantiate  (j*-l)  in  g(5), 
notice  forall  j  (.x[l]  le  .m) , 
provebygeneralization  g(4) 
using:  (q(l))) 
step  proof: 

(go  #f  indmaxtestWpc  =  at  (findmaxtest .inner .max) , 
invokeadalemma  max. lemma, 
prove  [sd  pre:  (true) 
comod:  (all) 

post:  (exists  k  ((1  le  k  ft  k  le  .size)  ft 
.x[k]  =  .n))] 
proof  :* 

(instantiate  (j-jO)  in  q(l), 
instantiate  (k=jO)  in  g(l)), 
apply  u(l) , 
apply  u(2) , 

go  #f indmax. i  =  .findmax. i  +  1, 
instantiate  (k=jl)  in  q(l), 
instantiate  (j=jl)  in  g(5), 
notice  forall  j  ( .x[. findmax. i  -  1]  le  .m), 
provebygeneralization  g(4) 
using:  (qr  ^ ,q(5))) , 

go  #fii  ssaictestWpc  =  exited  (findmaxtest .  inner .  findmax) , 
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provebygeneralization  g(l) 
using:  (q(2)), 
instantiate  (j=j2)  in  q(2) , 
instantiate  (j=j2)  in  g(2)))") 


5  Conclusions 


This  prototype  offline  characterization  mechanism  has  been  shown  to  be  useful  in  eliminat¬ 
ing  some  of  the  steps  formerly  required  of  proofs  involving  Ada  procedure  calls.  Through 
the  examples  presented  here,  it  is  shown  to  work  effectively  in  some  simple  contexts.  Its 
eventual  usefulness  is  not  entirely  apparent,  as  only  a  few  examples  have  been  performed, 
and  those  examples  do  not  involve  complex  procedures  that  are  called  at  more  than  one 
place.  The  utility  of  this  feature  should  become  more  clear  when  we  scale  up  to  prove  the 
correctness  of  large  Ada  programs,  where  characterization  of  subroutines  will  play  a  much 
larger  role  in  proof  organization  and  efficiency.  Another  important  consideration  is  the 
modularization  of  the  proofs — as  programs  get  larger,  the  corresponding  proofs  get  longer 
and  more  difficult  to  follow.  The  offline  characterization  mechanism  should  do  much  to 
ameliorate  this  difficulty. 
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